Dr. Greg Bernstein
November 1st, 2021
From TTPs Within Cyber Threat Intelligence
“patterns of activities or methods associated with a specific threat actor or group of threat actors”
When an incident does happen, related TTPs help establish potential attribution and an attack framework. This can sometimes aid a team in identifying valuable data such as likely vectors and payloads as well as command and control infrastructure (C2).
From Wikipedia: APT
An advanced persistent threat (APT) is a stealthy threat actor, typically a nation state or state-sponsored group, which gains unauthorized access to a computer network and remains undetected for an extended period. In recent times, the term may also refer to non-state sponsored groups conducting large-scale targeted intrusions for specific goals.
From Wikipedia: APT
Advanced: Operators behind the threat have a full spectrum of intelligence-gathering techniques at their disposal. These may include commercial and open source computer intrusion technologies and techniques, but may also extend to include the intelligence apparatus of a state.
Persistent: Operators have specific objectives, rather than opportunistically seeking information for financial or other gain. This distinction implies that the attackers are guided by external entities. The targeting is conducted through continuous monitoring and interaction in order to achieve the defined objectives. It does not mean a barrage of constant attacks and malware updates. In fact, a “low-and-slow” approach is usually more successful.
U.S. Department of Defense, 2007 (F2T2EA)
Exploitation: After the weapon is delivered to victim host, exploitation triggers intruders’ code. Most often, exploitation targets an application or operating system vulnerability, but it could also more simply exploit the users themselves or leverage an operating system feature that auto-executes code.
Installation: Installation of a remote access trojan or backdoor on the victim system allows the adversary to maintain persistence inside the environment.
Command and Control (C2): Typically, compromised hosts must beacon outbound to an Internet controller server to establish a C2 channel. APT malware especially requires manual interaction rather than conduct activity automatically. Once the C2 channel establishes, intruders have “hands on the keyboard” access inside the target environment.
Actions on Objectives: Only now can intruders take actions to achieve their original objectives. Typically, this objective is data exfiltration which involves collecting, encrypting and extracting information from the victim environment;
From Kill-chain PDF
The intrusion kill chain becomes a model for actionable intelligence when defenders align enterprise defensive capabilities to the specific processes an adversary undertakes to target that enterprise. Defenders can measure the performance as well as the effectiveness of these actions, and plan investment road maps to rectify any capability gaps.
From MITRE ATT&CK®: Design and Philosophy
MITRE ATT&CK is a curated knowledge base and model for cyber adversary behavior, reflecting the various phases of an adversary’s attack lifecycle and the platforms they are known to target. ATT&CK focuses on how external adversaries compromise and operate within computer information networks.
ATT&CK = Adversary Tactics, Techniques and Common Knowledge
Reconnaissance: The adversary is trying to gather information they can use to plan future operations.
Resource Development: The adversary is trying to establish resources they can use to support operations.
Initial Access: The adversary is trying to get into your network.
Execution: The adversary is trying to run malicious code.
Persistence: The adversary is trying to maintain their foothold.
Privilege Escalation: The adversary is trying to gain higher-level permissions.
Defense Evasion: The adversary is trying to avoid being detected.
Credential Access: The adversary is trying to steal account names and passwords.
Discovery: The adversary is trying to figure out your environment.
Lateral Movement: The adversary is trying to move through your environment.
Collection: The adversary is trying to gather data of interest to their goal.
Command and Control: The adversary is trying to communicate with compromised systems to control them.
Exfiltration: The adversary is trying to steal data.
Impact: The adversary is trying to manipulate, interrupt, or destroy your systems and data.
From MITRE ATT&CK ®: Design and Philosophy
Operation Dianxun - CN espionage campaign targeting telecommunication companies - AlienVault
Portion of STIX file from Operation Dianxun - CN espionage campaign targeting telecommunication companies - AlienVault
{
"type": "attack-pattern",
"spec_version": "2.1",
"id": "attack-pattern--85e864e1-5dd0-4065-964d-05df90defd98",
"created": "2021-03-16T17:09:49.252Z",
"modified": "2021-03-16T17:09:49.252Z",
"name": "Scheduled Task/Job",
"description": "Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.(Citation: TechNet Task Scheduler Security)\n\nAdversaries may use task scheduling to execute programs at system startup or on a scheduled basis for persistence. These mechanisms can also be abused to run a process under the context of a specified account (such as one with elevated permissions/privileges).",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "execution"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "persistence"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "privilege-escalation"
}
],
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1053",
"external_id": "T1053"
},
{
"source_name": "capec",
"url": "https://capec.mitre.org/data/definitions/557.html",
"external_id": "CAPEC-557"
},
{
"source_name": "TechNet Task Scheduler Security",
"description": "Microsoft. (2005, January 21). Task Scheduler and security. Retrieved June 8, 2016.",
"url": "https://technet.microsoft.com/en-us/library/cc785125.aspx"
}
]
},Portion of STIX file from Operation Dianxun - CN espionage campaign targeting telecommunication companies - AlienVault
{
"type": "threat-actor",
"spec_version": "2.1",
"id": "threat-actor--a243e69e-c2fe-4b1b-bedf-493b30198c86",
"created": "2021-03-16T17:09:49.252Z",
"modified": "2021-03-16T17:09:49.252Z",
"name": "Mustang Panda",
"description": "This threat actor targets nongovernmental organizations using Mongolian-themed lures for espionage purposes.\nIn April 2017, CrowdStrike Falcon Intelligence observed a previously unattributed actor group with a Chinese nexus targeting a U.S.-based think tank. Further analysis revealed a wider campaign with unique tactics, techniques, and procedures (TTPs). This adversary targets non-governmental organizations (NGOs) in general, but uses Mongolian language decoys and themes, suggesting this actor has a specific focus on gathering intelligence on Mongolia. These campaigns involve the use of shared malware like Poison Ivy or PlugX.\nRecently, Falcon Intelligence observed new activity from MUSTANG PANDA, using a unique infection chain to target likely Mongolia-based victims. This newly observed activity uses a series of redirections and fileless, malicious implementations of legitimate tools to gain access to the targeted systems. Additionally, MUSTANG PANDA actors reused previously-observed legitimate domains to host files.",
"aliases": [
"BRONZE PRESIDENT",
"HoneyMyte",
"Red Lich"
],
"labels": [
"activist"
],
"external_references": [
{
"source_name": "MISP Threat Actor list",
"url": "https://www.cfr.org/interactive/cyber-operations/mustang-panda"
},
{
"source_name": "MISP Threat Actor list",
"url": "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-june-mustang-panda/"
},
{
"source_name": "MISP Threat Actor list",
"url": "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf"
},
{
"source_name": "MISP Threat Actor list",
"url": "https://www.secureworks.com/research/threat-profiles/bronze-president"
}
]
},From Meet CrowdStrike’s Adversary of the Month for June: MUSTANG PANDA 2018
Lemon Duck brings cryptocurrency miners back into the spotlight, October 2020
